If you have a teenager at home, you may have come across the online game Among Us. Set aboard a spaceship, players run around as identical-looking crewmates until one of them is bumped off. The remaining players then have to work out which of their fellow crew is the impostor wreaking havoc from the inside.
An old idea with a modern makeover, the game isn’t a million miles away from the new frontier of cyber threats: supply chain attacks. From Cloud Hopper, where attackers compromised managed service providers to reach those providers’ clients, to SolarWinds, where a trojanised software update was pushed to thousands of customers, businesses have seen a breach of a trusted third party open the door to their own systems. Most worrying of all, companies can no longer rely on their own defences alone: a single weak link in the supply chain is enough for sensitive data to be leaked to criminals.
Our industry is not blind to the rising number of attacks capitalising on our ever-increasing interconnectivity. As businesses small and large share data and assets at scale, our collective vulnerabilities multiply, and the prize grows for attackers hoping to see the dominoes fall one by one.
A primary method used by criminals to attack supply chains is impersonation, which can be remarkably sophisticated. Cybercriminals can spend months trawling employees’ social media accounts and company press releases to map out a supply chain, working out where they might insert themselves to fraudulently divert invoices or lure employees into phishing scams.
While global businesses may have the resources to employ cyber security teams that can assess and contain the risk of attacks such as these, increasingly, criminals are targeting smaller companies lower down the chain as backdoors to sensitive consumer data.
Cyber security professionals have come under immense pressure over the past 18 months to manage the threat on multiple fronts. Whereas 10 years ago, only the most sophisticated cyber criminals – usually sponsored by hostile states – could cripple national infrastructure and global business, individual hackers carrying out ransomware attacks now represent a more significant risk to UK national security, according to the National Cyber Security Centre.
So how can we ensure that cyber security remains robust along the entire length of the supply chain? Businesses must acknowledge their shared responsibility for keeping it secure. Every company has a duty to secure itself in order to protect its stakeholders, clients, and customers. Yet according to the DCMS Cyber Security Breaches Survey published in March 2021, only 12% of UK businesses had reviewed the cyber security risks posed by their immediate suppliers.
That is a sobering statistic, and it reflects a general attitude among C-suite executives that cyber security is still a secondary consideration for management. A common concern raised by CISOs is the lack of resources to protect their own company’s systems adequately, let alone to assess their suppliers’ practices.
We therefore need a shift in emphasis. It is no longer excusable to scapegoat under-resourced cyber security departments, or simply to assume that suppliers are sufficiently secure. Cyber security, including checking compliance all the way down the supply chain, should be integral to every business operating in today’s ever more online world, and suppliers need to be held to minimum cyber security requirements.
As cyber-attacks become more frequent and sophisticated, businesses must ensure they are not left behind. Now more than ever, companies should take advantage of the prolific knowledge-sharing initiatives within the cyber security industry, such as SASIG, to stay up to date and alert to the latest threats. It is also vital that the sector makes its voice heard as the government considers its new cyber security strategy.